Experiment: ARP-poison my machine and redirect it to a simple test page. I used arpspoof for the ARP poisoning, enabled IP forwarding and everything worked, as traceroute, ping, arp -a and Wireshark told me. Because I didn't want to sniff, I disabled ip_forwarding on the attacker's VM.

Now the questions: With IP forwarding, the Ethernet frame, with the IP packet containing the ICMP message, was sent to the attacker and then redirected/forwarded to the gateway. Wireshark also gave a message, like ICMP redirect, between the two machines. Without IP forwarding, the Ethernet frame arrives at the attacker, but as the IP packet is not for him, he doesn't answer and the victim gets an ICMP unreachable. Same with DNS, HTTP and other traffic going over the gateway. First question: Why doesn't Wireshark recognize that an Ethernet frame was sent to the attacker (does it only show layer 3+ protocols)? Second question: The Ethernet frames are arriving at the attacker, so if he wanted to stay unrecognized or redirect the victim to his own site/server, he would write a program which reads the IP packets and redirects them to himself, plus he would IP-spoof the answer so the victim remains unaware. E.g.: An ICMP is sent from the victim to the gateway. The Ethernet frame arrives at the attacker, the attacker reads the IP packet of the frame, recognizes that it's an ICMP and answers?

Which means with a bit of iptables NAT, IP forwarding and maybe a bit of extra coding it would be possible not only to sniff, but "to become the gateway" without actually being the gateway, or am I totally wrong? So if one uses a quieter route of ARP poisoning, like ARP tabling or something else, it would be hard to detect the intrusion of a MITM. How would you protect your network from that?

Last edited by b4sh on Tue Jan 08, 2013 10:37 pm, edited 1 time in total.

Reading your post is a bit confusing, probably because of lack of outputs, understanding your network configuration, conflicting scenarios, etc. However, let me try to answer some of your questions and see where we go...

Let's start with Wireshark - it should capture all layers of data that cross its path. If there is something missing, it's either because it didn't hit the system running Wireshark, or there was too much information and not everything was captured (in a lab environment, that shouldn't be an issue).

As for turning off IP forwarding, that puts you in a passive mode in that you won't be seeing any traffic between the victim and the rest of the world... fine for ARP poisoning, but a critical oversight for MITM. If you want to redirect the victim to a test page, you need to intercept its traffic and provide an alternative (unless you're looking to poison something like the IP address for google, or something along those lines; again, a better understanding of your network / lab / configuration would help here). And your second question (saying that the Ethernet frame hits the attacker's system) indicates there might be some MITM occurring in your scenario... so IP forwarding should be employed.

As for being the gateway for the victim, that's absolutely doable and done frequently (again, with IP forwarding on). I think the root of the confusion in your post exists between the understanding of what ARP poisoning is, and how you can incorporate MITM into ARP spoofing... poisoning a table is one thing, conducting a MITM is more complex and certainly more noisy (unless again you're just trying to modify the victim's traffic pattern to a specific web site / system, like when they surf to google.com and it goes to whitehouse.com instead - and even then, you have to slam their ARP table frequently enough to make it stick more than five minutes or so).

All that said, I may have muddied the waters more than you wanted (since I didn't really have a firm grasp on what you were attempting to do), so if you can provide a specific scenario, we can walk through it step by step.

Thanks for your answers. My lab consists of 3 PCs and 1 router: 1 running an SSH and HTTP server, 1 client and 1 attacker. The goal was to redirect the client to the attacker's server when he tried to connect to the real server. While experimenting I could answer the OSI layer questions for myself.

I poisoned ARP for the server and for the client, so I was in the middle. Enabling IP forwarding and writing an iptables NAT PREROUTING redirect chain, the client would join my server if he tried to connect with the real server on a specific port.

Now I will run a DNS on the attacker's machine, ARP-spoofing the router and the victim, and redirect all outgoing traffic to the attacker's DNS, which resolves every domain to the attacker's IP.

My question is: How could the client prevent such attacks at home and in public networks, how could the admin prevent such attacks at home and in public networks, and how could the server prevent such attacks? (In the case of SSH I think the server is doing it by signatures, so the client should be wondering if the signatures don't match.) My goal is: Harden the lab step by step, trying to find a workaround for every step for the attacker, then harden it again. The important thing is that I go step by step.

I think the key for preventing those attacks is to make ARP spoofing as hard as possible, as for redirecting you have to be in the middle if you don't have access to other machines in the network (like the DNS). So an admin could make static IP addresses and static ARP tables. At least the client PCs should have one static entry for the gateway. If the attacker is changing his MAC to the gateway's MAC there could be a vulnerability though (haven't tried this one yet). But that's not a solution for a public network for everyone. The step for public networks could be a firewall checking for ARP flooding and blacklisting the spammer, so the attacker would have to find a quieter solution.

Last edited by b4sh on Thu Jan 10, 2013 10:35 am, edited 1 time in total.
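To make the detection side of the thread concrete (the "static ARP entry for the gateway" and "firewall checking for ARP flooding" ideas above, and the "how would you protect your network" question in the first post), here is an added example that is not from any poster in this thread: a small Python detector that parses raw Ethernet/ARP frames, compares replies against a pinned gateway entry, flags an IP whose MAC changes, and flags a burst of replies from one MAC. All MACs, IPs and the threshold values are constructed lab values.

```python
# Added example, not from the thread: detect ARP replies that contradict a
# pinned IP->MAC entry, an IP that changes MAC, or an ARP reply flood.
import struct
from collections import defaultdict

ETH_ARP, ARP_REPLY = 0x0806, 2
# Pinned IP -> MAC entries an admin would set by hand (constructed lab values).
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}
FLOOD_THRESHOLD = 5   # replies from one MAC within WINDOW seconds before alerting
WINDOW = 2.0

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, mac_str(frame[22:28]), ".".join(str(x) for x in frame[28:32])

def make_reply(smac, sip, tmac, tip):
    """Build a constructed ARP reply frame; only used to feed the sample below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(tmac) + mac(smac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac(smac) + ip(sip) + mac(tmac) + ip(tip)

def detect(frames):
    """frames: list of (timestamp, raw_frame). Returns a list of alert strings."""
    alerts, learned, replies = [], {}, defaultdict(list)
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, smac, sip = parsed
        if sip in PINNED and smac != PINNED[sip]:
            alerts.append(f"pinned {sip} is {PINNED[sip]}, reply claims {smac}")
        elif learned.setdefault(sip, smac) != smac:
            alerts.append(f"{sip} moved from {learned[sip]} to {smac}")
        # Rate check: many replies from one MAC in a short window looks like spoofing.
        replies[smac] = [t for t in replies[smac] if ts - t <= WINDOW] + [ts]
        if len(replies[smac]) == FLOOD_THRESHOLD:
            alerts.append(f"flood: {smac} sent {FLOOD_THRESHOLD} ARP replies in {WINDOW}s")
    return alerts

# Constructed sample: one real gateway reply, then a burst from a second MAC claiming the gateway IP.
GW, ROGUE, CLIENT = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02", "aa:bb:cc:00:00:03"
SAMPLE = [(0.0, make_reply(GW, "192.168.1.1", CLIENT, "192.168.1.10"))]
SAMPLE += [(0.1 * i, make_reply(ROGUE, "192.168.1.1", CLIENT, "192.168.1.10")) for i in range(1, 7)]
```

Running `detect(SAMPLE)` yields one alert per rogue reply plus a single flood alert; on a real host the same logic would be fed from a packet capture instead of the constructed frames.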

b4sh wrote: My question is: How could the client prevent such attacks at home and in public networks, how could the admin prevent such attacks at home and in public networks, and how could the server prevent such attacks? (In the case of SSH I think the server is doing it by signatures, so the client should be wondering if the signatures don't match.)

Preventing these attacks isn't really possible - you can mitigate them, but not eliminate them. There are network devices that can kick ARP-spoofing systems off the network for a set time, which will help reduce the risk.

Also, encrypt, encrypt, encrypt. Connect to systems using certificates you can validate, some PKI infrastructure (Kerberos, for example), or shared keys. Don't accept connections to systems you cannot verify.